You are browsing the archive for File Formats ZOO.

File Formats ZOO – Installers

April 30, 2012 in File Formats ZOO

Continuing on my previous post I am adding some more information about file signatures.

First, the illustration :)

One of the types of Portable Executable file format that is not so often discussed are installers. For these who don’t know, in most cases a typical installer for Windows is a standalone Portable Executable file with some extra data appended to it (with a notable exception of .msi files that are containers handles by the Windows Installer).

The installer file usually contains two parts. The first part is a standalone setup file that is unique and identical across all installers created with the same version of the (installation) packager/wizard/script. The second part is the actual software that is about to be installed – often preserved in a compressed/encrypted way. The most popular installers include Nullsoft Scriptable Install System (NSIS) and Inno Setup, but there are literally hundreds of them available.

Let me say here that ‘installer’ is a very wide term and can include pretty much any .exe file with any file appended to its end and in some cases – files embedded inside the main .exe (either directly as a data/encrypted data, or as a resource embedded within a resource section). Many well-known formats are used as an appended data. So, one can find .exes with appended JPG files, Flash Movies, other .exe files and many other variants. One very popular type of installers (even if they don’t necessarily classify as a software installer) are self extracting archives e.g. RarSFX, CABSFX, 7ZSFX, etc. All of these are treated here equally ==> .exe + something appended to it.

From a forensic perspective, determining that some .exe is an installer could help in data reduction as long as we can confirm the installer has been executed on the investigated system. All you have to do is to extract the installer and run it in a test environment. The collected artifacts can be then removed from the local copy of the evidence e.g. by a file name. If you remember my preaching post a few days ago on speeding up case processing – deleting files created by a confirmed installer could be a good thing to do /as long as the installer itself is out of scope/. Let’s not overlook this possibility as removing thousands of small files created by software packages often present on the investigated systems could be a very good data reduction technique. Whether it is Java Runtime Environment, Microsoft Visual Studio, Adobe software, or any other large package, we could save a lot of time simply removing these from our view. While I am saying this, I must emphasize that this is a very unexplored area and needs both more research and new tools. Still, any data reduction technique available to an examiner is more than needed and whoever gets it right and gets there first will be cracking cases in no time.

MZ...PE... I.n.s.t.a.l.l.S.h.i.e.l.d.

InstallShield Installer. Contains no appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
62 29 00 00 00 00 00 00 00 00 50 45 00 00 4C 01  b)........PE..L.
00 23 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E  .#...C.o.m.p.a.n
00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 49  .y.N.a.m.e.....I
00 6E 00 73 00 74 00 61 00 6C 00 6C 00 53 00 68  .n.s.t.a.l.l.S.h
00 69 00 65 00 6C 00 64 00 20 00 53 00 6F 00 66  .i.e.l.d. .S.o.f
MZ...PE... _winzip_ …

A self extracting WinZip32 executable. Contains stub (archive extractor) and a typical Zip file. There is no appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 F0 A4 F5 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 E0 00 00  ................
...
[section table]
2E 74 65 78 74 00 00 00 B4 D5 00 00 00 10 00 00  .text...........
00 E0 00 00 00 10 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00  .... ..`.rdata..
42 29 00 00 00 F0 00 00 00 30 00 00 00 F0 00 00  B).......0......
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
2E 64 61 74 61 00 00 00 DC 54 00 00 00 20 01 00  .data....T... ..
00 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00  . ... ..........
00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00  ....@....rsrc...
88 91 00 00 00 80 01 00 00 A0 00 00 00 40 01 00  .............@..
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
5F 77 69 6E 7A 69 70 5F 00 30 0A 00 00 20 02 00  _winzip_.0... ..
00 30 0A 00 00 E0 01 00 00 00 00 00 00 00 00 00  .0..............
00 00 00 00 40 00 00 42                          ....@..B
MZ...PE... | … dbload

A perl script converted into an executable with a perl2exe utility.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 1C B2 B8 3B 00 00 00 00  PE..L......;....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 10 00 00  ................
[Appended data]
64 62 6C 6F 61 64 20 31 2E 30 20 73 69 67 6E 61  dbload 1.0 signa
74 75 72 65 0D 0A 0D 0A 80 80 80 80 80 80 80 80  ture............
MZ...PE... | !sfx!.

Self extracting WinAce installer/archive.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 DE 01 00  ................
[Appended data]
21 73 66 78 21 00 53 03 00 00 00 01 B8 AF 00 00  !sfx!.S.........
01 00 00 00 11 00 00 00 06 00 00 00 14 00 00 00  ................
MZ...PE... | 7z

Self extracting 7z installer/archive. Contains stub (archive extractor) and a typical 7z archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 49 B5 57 47 00 00 00 00  PE..L...I.WG....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 92 01 00  ................
[Appended data]
37 7A BC AF 27 1C 00 02 E1 AB 8F 68 7E DB C6 00  7z..'......h~...
00 00 00 00 26 00 00 00 00 00 00 00 37 1C 2D 11  ....&.......7.-.
MZ...PE... | BZh

Self extracting Bzip2 installer/archive. Contains stub (archive extractor) and a typical Bzip2 archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 B4 CE 3D 3C 00 00 00 00  PE..L.....=<....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 A0 01 00  ................
[Appended data]
42 5A 68 39 31 41 59 26 53 59 75 91 99 30 00 02  BZh91AY&SYu..0..
D9 7F FF FF DF FB FF E3 F5 FF FF FF FF FF FF FF  ...............
MZ...PE... | CWS

Macromedia Flash Player. Contains stub (flash player) and a typical compressed Flash file (CWS).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 06 00 38 AD 57 3F 00 00 00 00  PE..L...8.W?....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 0C 00  ................
...
[Appended data]
43 57 53 07 5E 9A 01 00 78 9C BC 3B 5B 90 1C D5  CWS.^...x..;[...
75 67 7A 7A 66 7A DF 0F AD 34 7A EC 4A 42 12 82  ugzzfz...4z.JB..
MZ...PE... | FWS

Macromedia Flash Player. Contains stub (flash player) and a typical Flash file (FWS).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 FD 8A 49 37 00 00 00 00  PE..L.....I7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 03 00  .............0..
[Appended data]
46 57 53 04 ED A0 03 00 70 00 09 C4 00 00 FA 00  FWS.....p.......
00 0C 54 00 43 02 FF FF FF 00 06 44 0B 06 00 00  ..T.C......D....
MZ...PE... | … IFCM

Microsoft Help 2.x.

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00  PE..L...........
00 00 00 00 E0 00 01 20 0B 01 00 00 00 00 00 00  ....... ........
[Appended data]
49 46 43 4D 01 00 00 00 00 20 00 00 00 00 10 00  IFCM..... ......
FF FF FF FF FF FF FF FF 09 00 00 00 00 00 00 00  ................…
MZ...PE... | Inno Setup

Inno Setup installer.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8F 81 0B 01 02 19 00 90 00 00  ................
[Appended data]
49 6E 6E 6F 20 53 65 74 75 70 20 53 65 74 75 70  Inno Setup Setup
20 44 61 74 61 20 28 35 2E 31 2E 31 33 29 00 00   Data (5.1.13)..
MZ...PE... | MZ

An executable with the appended data that probably contains another executable. It may be either a custom installer or a wrapper.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 0E 04 00  ................
[Appended data]
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
MZ...PE... | Rar!

A self extracting WinRar executable. Contains stub (archive extractor) and a typical Rar file.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 E6 68 F2 46 00 00 00 00  PE..L....h.F....
00 00 00 00 E0 00 0F 01 0B 01 05 00 00 40 01 00  .............@..
[Appended data]
52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!.....s......
00 00 00 00 83 59 7A 00 80 23 00 6E 00 00 00 6E  .....Yz..#.n...n
MZ... PE... | SQ5SFX

Squeez self-extracting executable.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 BA 1F 9F 48 00 00 00 00  PE..L......H....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
[Appended data]
53 51 35 53 46 58 CE B0 01 00 05 00 00 00 C7 0C  SQ5SFX..........
00 00 5B 64 65 73 63 72 69 70 74 69 6F 6E 5D 0D  ..[description].
MZ... PE... | sRBV... ResJ

AWinstall Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 94 AD EF 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 09 00 00 C6 01 00  ................
[Appended data]
73 52 42 56 06 68 1F 00 16 68 1F 00 06 03 00 00  sRBV.h...h......
52 65 73 4A 7F FF FB 81 C1 79 91 46 DE D1 BB 72  ResJ.....y.F...r
MZ...PE... | Smart Install Maker

Installer created with Smart InstallMaker.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 62 01 00  .............b..
[Appended data]
53 6D 61 72 74 20 49 6E 73 74 61 6C 6C 20 4D 61  Smart Install Ma
6B 65 72 20 76 2E 20 35 2E 30 30 00 30 00 30 00  ker v. 5.00.0.0.
MZ...PE... | SZDD

Executable with appended file being SZDD archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 CE F8 9B 3E 00 00 00 00  PE..L......>....
00 00 00 00 E0 00 0E 01 0B 01 04 14 00 0C 01 00  ................
...
[Appended data]
53 5A 44 44 88 F0 27 33 41 6D F0 A3 01 00 FF 49  SZDD..'3Am.....I
54 53 46 03 00 00 00 F5 60 F5 F0 01 F5 F0 33 15  TSF.....`.....3.
MZ...PE... | wwgT

Installer created with Install Creator.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 C0 9F C2 41 00 00 00 00  PE..L......A....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 01 00  .............0..
[Appended data]
77 77 67 54 29 48 35 14 01 00 6E 02 00 00 F2 06  wwgT)H5...n.....
00 00 01 78 DA AD 94 4F 68 13 41 14 C6 DF EE 6C  ...x...Oh.A....l
MZ...PE... | 0xA3 HK

AutoIt or AutoHotkey script.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 A2 3E 49 47 00 00 00 00  PE..L....>IG....
00 00 00 00 E0 00 23 01 0B 01 08 00 00 70 03 00  ......#......p..
[Appended data]
A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D  .HK..lJ..LS...H}
41 55 33 21 45 41 30 36 F0 6B 89 18 C1 BC 11 F7  AU3!EA06.k......
MZ...PE... | 0xEF 0xBE 0xAD 0xDE nsisinstall

Old version of Nullsoft Installer. Note characteristic hex string “DEADBEEF” (0xEFBEADDE) at the beginning of the appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 85 A8 25 3A 00 00 00 00  PE..L.....%:....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 60 00 00  .............`..
[Appended data]
EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00  ....nsisinstall.
0D F0 AD 0B 2C 13 00 00 D1 46 09 00 44 46 58 20  ....,....F..DFX
MZ... PE... |  …0xEF 0xBE 0xAD 0xDE... NullsoftInst

Nullsoft Installer. Note characteristic hex string “DEADBEEF” (0xEFBEADDE) at the beginning of the appended data. In some cases, versions of Nullsoft Installer can be found inside the manifest (in the resources of PE executable).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 1A 5A A0 49 00 00 00 00  PE..L....Z.I....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 5C 00 00  .............\..
00 00 00 00 EF BE AD DE 4E 75 6C 6C 73 6F 66 74  ........Nullsoft
49 6E 73 74 1D 27 02 00 33 90 17 00 5D 00 00 80  Inst.'..3...]...
MZ...PE... | … PK

A self extracting Zip executable. Contains stub (archive extractor) and a Zip file.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 5A F5 36 48 00 00 00 00  PE..L...Z.6H....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 00 01 00  ................
[End of file]
50 4B 05 06 00 00 00 00 04 00 04 00 EF 00 00 00  PK..............
FF 99 48 01 00 00 00 00 00 00 00 00 50 15 00 00  ..H.........P...
MZ... PE...  | … Wise

WISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 3F 6C D8 3B 00 00 00 00  PE..L...?l.;....
00 00 00 00 E0 00 0F 05 0B 01 06 00 00 22 00 00  ............."..
[Appended data]
57 69 73 65 20 49 6E 73 74 61 6C 6C 61 74 69 6F  Wise Installatio
6E 20 57 69 7A 61 72 64 2E 2E 2E 00 ED 5B CD 8F  n Wizard.....[..
MZ...PE... | … ESIV

VISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 49 E3 5E 37 00 00 00 00  PE..L...I.^7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
...
[End of file]
DA E1 E1 47 47 DA DA E1 E1 47 47 DA DA E1 E1 47  ...GG....GG....G
8F D9 A8 DE F4 9C 03 FF 45 53 49 56 00 10 01 00  ........ESIV....

File Formats ZOO

April 30, 2012 in File Formats ZOO

In 2009 my wife drawn a lovely illustration for my upcoming book about malware analysis. Unfortunately, I couldn’t complete the book (for various reasons) and her work never saw it to the printer. I really liked that illustration though and have been always thinking that I will find a way to use it one day. Today is the day and I present it to you, together with a short information on some most popular file formats. File formats is a topic that has been discussed so many times that it is not even worth mentioning, yet I do hope that while skimming the short information below, you will still find something new there. I have more interesting file signatures to come and will publish them when I complete binary snapshots. Illustration will be there too :)

0x00 0x00 0x01 0x00

Windows Icon file (*.ico).

00 00 01 00 01 00 20 20 10 00 00 00 00 00 E8 02  ……  ……..

00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00  ……(… …@.

0x00 0x00 0x01

Mpg movie (*.mpg, *.mpe, *.mpeg).

00 00 01 BA 21 00 01 00 0F 80 0D F9 00 00 01 BB  .!………..

00 0C 80 0D F9 07 E1 FF B8 C0 20 B9 E0 28 00 00  ………. ..(..

0x00 0x01 0x00 0x00 Standard Jet DB

Microsoft Access database  (*.mdb, *.accdb).

00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74  ….Standard Jet

20 44 42 00 00 00 00 00 B5 6E 03 62 60 09 C2 55   DB……n.b`..U

. . 0x0D 0x0A

Python compiler script  (*.pyc).

D1 F2 0D 0A 7E 74 F3 47 63 00 00 00 00 00 00 00  ....~t.Gc…….

00 0B 00 00 00 40 00 00 00 73 FD 00 00 00 64 00  …..@…s….d.

0x1F 0x8B

Tar archive compressed using gzip (*.tgz).

1F 8B 08 00 03 83 74 3A 02 03 EC 3C FD 73 DB 36  ……t:…<.s.6

B2 FD D5 FC 2B 30 8E A6 B6 72 16 15 F9 2B 17 B9  ….+0…r…+..

!<arch>

Library file (*.lib).

21 3C 61 72 63 68 3E 0A 2F 20 20 20 20 20 20 20  !<arch>./

20 20 20 20 20 20 20 20 31 31 32 36 39 34 35 34          11269454

!<arch>.debian-binary

Debian software package (*.deb).

21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E 2D 62  !<arch>.debian-b

69 6E 61 72 79 20 20 20 31 32 30 36 36 34 30 32  inary   11066402

%PDF

PDF document File (*.pdf).

25 50 44 46 2D 31 2E 33 0D 25 E2 E3 CF D3 0D 0A  %PDF-1.3.%……

36 20 30 20 6F 62 6A 0D 3C 3C 20 0D 2F 4C 69 6E  6 0 obj.<< ./Lin

.RMF

RMVB movie (*.rm, *.rmvb).

2E 52 4D 46 00 00 00 12 00 01 00 00 00 00 00 00  .RMF…………

00 07 50 52 4F 50 00 00 00 32 00 00 00 1C FD E0  ..PROP…2……

0& 0xB2 u

ASF or WMV movie (*.asf, *.wmv).

30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C  0&.u.f…….b.l

85 02 00 00 00 00 00 00 05 00 00 00 01 02 A1 DC  …………….

7z

7Zip archive (*.7z).

37 7A BC AF 27 1C 00 03 11 05 8F B2 13 00 00 00  7z..’………..

00 00 00 00 54 00 00 00 00 00 00 00 8F 51 A0 B5  ….T……..Q..

?_

Old Windows Help format (*.hlp).

3F 5F 03 00 0C 01 00 00 FF FF FF FF 1B 39 00 00  ?_………..9..

FC 00 00 00 F3 00 00 00 00 6C 03 21 00 01 00 21  ………l.!…!

BM

Bitmap file (*.bmp).

42 4D 38 00 1B 00 00 00 00 00 36 00 00 00 28 00  BM8…….6…(.

00 00 00 03 00 00 40 02 00 00 01 00 20 00 00 00  ……@….. …

BZh

Archive compressed using Bzip2 (*.bz, *.bz2, *.bzip2).

42 5A 68 39 31 41 59 26 53 59 B6 0D 89 62 00 8F  BZh91AY&SY…b..

C8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ……………….

CWS

Compressed Flash movie (*.swf).

43 57 53 08 AD C6 00 00 78 9C E4 BD 07 5C 13 CB  CWS…..x….\..

F7 28 3E 1B 12 B2 81 D0 41 50 83 62 07 41 11 EC  .(>…..AP.b.A..

d8:announce

Torrent file (*.torrent).

64 38 3A 61 6E 6E 6F 75 6E 63 65 33 39 3A 68 74  d8:announce39:ht

74 70 3A 2F 2F 74 6F 72 72 65 6E 74 2E 75 62 75  tp://torrent.ubu

FLV

Flash Video file (*.flv).

46 4C 56 01 05 00 00 00 09 00 00 00 00 12 00 01  FLV.…………

C2 00 00 00 00 00 00 00 02 00 0A 6F 6E 4D 65 74  ………..onMet

…ftyp

Quicktime movie (*.mov).

00 00 00 20 66 74 79 70 71 74 20 20 20 05 03 00  … ftypqt   …

71 74 20 20 00 00 00 00 00 00 00 00 00 00 00 00  qt  …………

From: <Saved by Windows Internet Explorer>

MIME HTML archive which may contain various files saved in a MIME format (*.mht).

46 72 6F 6D 3A 20 3C 53 61 76 65 64 20 62 79 20  From: <Saved by

57 69 6E 64 6F 77 73 20 49 6E 74 65 72 6E 65 74  Windows Internet

20 45 78 70 6C 6F 72 65 72 20 37 3E 0D 0A 53 75   Explorer 7>..Su

GIF87a

Picture saved in GIF 87a format (*.gif).

47 49 46 38 37 61 59 00 6D 00 F7 00 00 00 00 00  GIF87aY.m…….

00 00 40 00 00 80 00 00 FF 00 20 00 00 20 40 00  ..@……. .. @.

GIF89a

Picture saved in GIF 89a format (*.gif).

47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF  GIF89a……….

00 00 00 21 F9 04 01 00 00 00 00 2C 00 00 00 00  …!…….,….

ID3

Mp3 music file (*.mp3).

49 44 33 03 00 00 00 00 06 46 54 45 4E 43 00 00  ID3……FTENC..

00 01 40 00 00 00 00 00 00 00 00 00 02 00 00 00  ..@………….

IDA1

The database of IDA Pro disassembler (*.ida).

49 44 41 31 00 00 3E 00 00 00 43 60 01 00 48 E0  IDA1..>…C`..H.

01 00 00 00 00 00 4D 20 02 00 DD CC BB AA 01 00  ……M ……..

II

Image saved in TIFF (Intel) file format (*.tif, *.tiff).

49 49 2A 00 18 CA 34 00 2C 30 33 35 37 3B 34 35  II*…4.,0357;45

39 38 38 3D 38 37 3C 35 34 39 33 31 36 31 2F 34  988=87<5493161/4

ISC(

InstallShield Cabinet File (*.cab). Requires a separate installer called setup.exe.

49 53 63 28 0C 60 00 01 00 00 00 00 00 02 00 00  ISc(.`……….

00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00  …………….

ITSF

Windows Help File (*.chm).

49 54 53 46 03 00 00 00 60 00 00 00 01 00 00 00  ITSF….`…….

40 62 C0 46 09 04 00 00 10 FD 01 7C AA 7B D0 11  @b.F…….|.{..

KGB_arch

Archive file created by KGB compression utility (*.kgb).

4B 47 42 5F 61 72 63 68 20 2D 33 0D 0A 32 35 30  KGB_arch -3..250

30 33 32 09 72 65 61 64 6D 65 2E 74 78 74 0D 0A  032.readme.txt..

L 0x00 0x00 0x00

Windows shortcut file (*.lnk).

4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00  L……………

00 00 00 46 CB 40 00 00 20 00 00 00 F4 AA 17 AE  …F.@.. …….

L 0x01 0x05

Object file (*.obj).

4C 01 05 00 67 20 93 45 76 0A 00 00 3C 00 00 00  L...g .Ev…<…

00 00 00 00 2E 74 65 78 74 00 00 00 00 00 00 00  …..text…….

MM

Image saved in TIFF (Motorola) file format (*.tif, *.tiff).

4D 4D 00 2A 00 00 0D 32 81 FF CD FF FB FF FF FE  MM.*…2……..

01 FF FD FA FE 06 FF FE FE FF FE FE FF FF FE FD  …………….

…moov

Quicktime movie (*.mov).

00 00 41 DE 6D 6F 6F 76 00 00 00 6C 6D 76 68 64  ..A.moov…lmvhd

00 00 00 00 BD 38 15 59 BD 38 15 59 00 00 02 58  …..8.Y.8.Y…X

MP+

Musepack Audio File (*.mpc).

4D 50 2B 07 81 35 00 00 00 00 C0 5F 00 00 00 00  MP+..5….._….

00 00 00 00 00 00 C0 80 F7 07 02 73 5A 3B 8B 80  ………..sZ;..

MSCF

Microsoft Cabinet File  (*.cab).

4D 53 43 46 00 00 00 00 8E 07 3E 00 00 00 00 00  MSCF……>…..

2C 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00  ,……………

MZ

Windows/DOS executable (*.exe, *.dll, *.sys, *.cpl, *.ocx, and others).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ…………..

B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ……..@…….

OggS

Music file saved in OggS format (*.ogg).

4F 67 67 53 00 02 00 00 00 00 00 00 00 00 67 0B  OggS……….g.

00 00 00 00 00 00 46 7D C7 F2 01 1E 01 76 6F 72  ……F}…..vor

PK

Zip Archive;  used by Java (e.g. JAR files) and Microsoft Office 2007 (*.zip, *.jar, *.docx, and others).

50 4B 03 04 14 00 02 00 00 00 F8 43 36 38 00 00  PK………C68..

00 00 00 00 00 00 00 00 00 00 16 00 00 00 45 78  …………..Ex

Rar!

Rar Archive (*.rar, *.r00, *.r01, …, part1.rar, part2.rar, …).

52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!…..s……

00 00 00 00 31 A3 74 C0 90 2E 00 3F F9 3B 00 00  ….1.t….?.;..

regf

Windows registry file (*.dat, *.<no extension>).

72 65 67 66 01 00 00 00 01 00 00 00 00 00 00 00  regf…………

00 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00  …………….

RIFF…ACON

Animated cursor (*.cur).

52 49 46 46 50 3A 00 00 41 43 4F 4E 4C 49 53 54  RIFFP:..ACONLIST

46 00 00 00 49 4E 46 4F 49 4E 41 4D 0B 00 00 00  F…INFOINAM….

RIFF…AVI

AVI movie  (*.avi).

52 49 46 46 88 51 5A 01 41 56 49 20 4C 49 53 54  RIFF.QZ.AVI LIST

46 01 00 00 68 64 72 6C 61 76 69 68 38 00 00 00  F…hdrlavih8……

SZDD

A file compressed with Microsoft program compress.exe  (*.??_ e.g. *.ex_ for compressed *.exe).

53 5A 44 44 88 F0 27 33 41 65 00 74 00 00 FF 4D  SZDD..’3Ae.t…M

5A 90 00 03 00 00 00 7D 04 F5 F0 FF FF 00 00 B8  Z……}……..

0x60 0xEA

Arj archive (*.arj).

60 EA 2E 00 22 0B 01 0A 10 00 02 EB EB BC 86 3A  `...”……….:

EB BC 86 3A 00 00 00 00 00 00 00 00 00 00 00 00  …:…………

0x78 0x01

DMG image for Mac (*.dmg).

78 01 ED 9D 0B 80 1D 55 7D FF 67 E6 3E F7 BE 76  x..….U}.g.>..v

49 78 04 44 5C F3 8F 2B 41 B2 5D 48 08 81 50 59  Ix.D\..+A.]H..PY

{\rtf

Document saved in Rich Text Format (RTF) (*.rtf).

7B 5C 72 74 66 31 5C 61 64 65 66 6C 61 6E 67 31  {\rtf1\adeflang1

30 32 35 5C 61 6E 73 69 5C 61 6E 73 69 63 70 67  025\ansi\ansicpg

0x7F ELF

Linux executable  (*.<no extension>, *.so).

7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00  .ELF…………

02 00 03 00 01 00 00 00 00 81 04 08 34 00 00 00  …………4…

0x89 PNG

An image saved in PNG format (*.png).

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52  .PNG……..IHDR

00 00 03 D5 00 00 02 78 08 02 00 00 00 E4 DD 57  …….x…….W

0xCA 0xFE 0xBA 0xBE (CAFEBABE)

Java file (*.class) or Mac Mach-O Universal binary (*.app).

CA FE BA BE 00 00 00 32 00 C0 0A 00 30 00 6A 09  …….2….0.j.

00 2F 00 6B 07 00 6C 08 00 6D 0A 00 03 00 6E 09  ./.k..l..m….n.

0xD0  0xCF  0x11 0xE0 (D0CF11E)

Compound OLE file from Microsoft  (*.doc, *.xls, *.msi, and others).

D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00  …………….

00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00  ……..>…….

0xED 0xAB 0xEE 0xDB

Red Hat Package Manager File (*.rpm).

ED AB EE DB 03 00 00 00 00 01 74 75 78 70 61 69  ….……tuxpai

6E 74 2D 30 2E 39 2E 32 30 2D 31 2E 66 38 5F 66  nt-0.9.20-1.f8_f

0xEF 0xBB 0xBF

Text encoded in UTF8 (*.txt, *.utf8, and others).

EF BB BF 54 68 69 73 20 69 73 20 61 20 73 69 6D  …This is a sim

70 6C 65 20 74 65 78 74 20 66 69 6C 65 20 2E 2E  ple text file ..

0xFF 0xD8…JFIF

Picture saved in a JPEG format (*.jpg, *.jpe, *.jpeg).

FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64  ……JFIF…..d

00 64 00 00 FF FE 00 12 41 64 6F 62 65 20 49 6D  .d……Adobe Im

0xFE 0xFF

Text encoded in UTF16BE (*.txt, and others).

FE FF 00 54 00 68 00 69 00 73 00 20 00 69 00 73  …T.h.i.s. .i.s

00 20 00 61 00 20 00 73 00 69 00 6D 00 70 00 6C  . .a. .s.i.m.p.l

0xFF 0xFE

Text encoded in UTF16LE (*.txt, and others).

FF FE 54 00 68 00 69 00 73 00 20 00 69 00 73 00  ..T.h.i.s. .i.s.

20 00 61 00 20 00 73 00 69 00 6D 00 70 00 6C 00   .a. .s.i.m.p.l.